John Kindervag's Blog

Visa just announced the expansion of their No Signature program. Citing its "popularity", Visa notes that: "According to a Visa Inc. survey, 69 percent of participants surveyed cited either convenience or speed as the primary reason for using their credit or debit card." Wow.

What this seems to signal is that Visa, and perhaps the other card brands, feel that they will make more money by eliminating barriers to the sale, such as the 2.2 seconds needed to sign your name, than they would lose in fraudulent transactions, considering this program is for transactions of US$25 or less. Also, it appears that people no longer know how to sign their names.

I have often heard (in low, barely audible whispers) that US consumers are too lazy to care about security, which is why the US will probably never have CHIP and PIN transactions for enhanced credit card authentication. We Americans are too darn busy to push 4 numbers on a key pad (4.3 seconds). This drives folks in other parts of the world crazy, as they are in love with CHIP and PIN and, mistakenly, think that this technology eliminates all transaction risk. CHIP and PIN cards still have a mag stripe that can be scanned, and skimming is still a problem. It's a great authentication method, however, and would really help reduce some of the smaller, card-present CC frauds were we to adopt it.

Americans need more paranoia about credit card theft. We are much more likely to suffer some type of credit card fraud or be affected by a major credit card breach than a terrorist attack, but for some reason we are unwilling to punch in a few numbers to help protect ourselves.

The Attorney General of New York is investigating a large group of online retailers to see if they have been sharing your credit card data with third parties without your knowledge or permission. In a press release, the AG's Office details the scheme, including the fact that you may unknowingly be giving your credit card number to someone other than the retailer you are shopping with:

"Information about joining the membership program and its ramifications, including the fact that the consumer is agreeing to transfer his or her credit or debit card account information, is buried in fine print and cluttered text."

My gut tells me that this violates the spirit, if not the letter, of the PCI Data Security Standard. According to the PCI DSS:

"Additionally, merchants and service providers must manage and monitor the PCI DSS compliance of all associated third parties with access to cardholder data."

It is probably safe to assume that the business agreement around the data sharing identified by the New York AG's office did not include language surrounding PCI compliance.
An MSNBC story on the investigation puts it this way:

Wireless hacking guru Josh Wright has just announced that he has created havoc with a MiFi personal access point. MiFi is a little device that turns 3G wireless signals into WiFi. The cool thing is that the wireless signal can be shared with other nearby computers. According to Josh, he has found a way that, "An attacker can recover the default password from any MiFi device." This is big news because anyone who is involved with wireless ne

Security researchers in the UK say that the 3-D Secure (3DS) system for credit card authorization, a protocol that was "developed by Visa to improve the security of Internet payments," has significant security weaknesses. It is used by both of the ginormous card brands, branded as "Verified by Visa" and "MasterCard SecureCode."

This could be a big deal.

In a recent paper, the researchers call out 3-D Secure as a security failure that was pushed on consumers by financially incentivized merchants because, "its use is encouraged by contractual terms on liability: merchants who adopt 3DS have reduced liability for disputed transactions. Previous single sign-on schemes lacked liability agreements, which hampered their take-up."

According to the authors:

"3-D Secure has lousy technology, but got the economics right (at least for banks and merchants); it now boasts hundreds of millions of accounts. We suggest a path towards more robust authentication that is technologically sound and where the economics would work for banks, merchants, and customers - given a gentle regulatory nudge."